Anti-Phishing Service Launched
Industry Groups Pilot Trusted Email Registry to Help Banks Fight Fraud
BITS, the technology policy division of The Financial Services Roundtable, and the Financial Services-Information Sharing and Analysis Center (FS-ISAC) say the Trusted Email Registry is currently being piloted by 15 institutions.
This new service allows institutions to monitor valuable email traffic, improving the ability to identify and defend against phishing attacks via fraudulent emails, says Paul Smocer, vice president of Security for BITS.
After completion of the pilot, the program will be available to the 98 members of The Financial Services Roundtable, including its affiliates, and 115 FS-ISAC members, Smocer says. Later, the registry may be made available to non-member institutions.
How it Works
The registry's basic service will allow institutions to monitor a limited number of their domains' email traffic, receive reports and have access to a Transport Layer Security (TLS) Key Contact Registry. The Enhanced Service provides:
- Monitoring of a larger number of domains;
- Deployment services to establish DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF);
- Policy enforcement/anti-spoofing tools for DKIM and SPF and ISP intermediation and support.
There are two ways this registry will help the industry, Smocer says. The service model will bring a lot more capability to monitor email traffic across Internet service providers (ISPs). And institutions will be able to see how traffic is flowing -- what is getting authenticated and what isn't. With this service, institutions will be able to see which domains are sending mail, and determine whether they are supposed to send mail.
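As an added illustration (not part of the original article and not the BITS registry's own code), here is the kind of check that sits behind "determine whether they are supposed to send mail": a simplified SPF evaluator covering the ip4, ip6, include and all mechanisms of RFC 7208, run over a constructed set of records and a constructed feed of observed senders to produce the per-domain authenticated/unauthenticated view the article describes. The domain names, SPF records and observation feed are hypothetical; DNS lookups are replaced by an inline dictionary; and the a, mx, ptr and exists mechanisms, redirect= and macros are deliberately not implemented and yield "permerror".

```python
import ipaddress
from collections import defaultdict

# Constructed SPF records keyed by domain, standing in for DNS TXT lookups.
# The domains are hypothetical (.test TLD) and exist only for this example.
SPF_RECORDS = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.test -all",
    "_spf.mailvendor.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.test": "v=spf1 include:loop.test -all",   # self-referencing include
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # stands in for RFC 7208's limit of 10 DNS-querying terms


def check_spf(ip, domain, records, depth=0):
    """Evaluate an SPF record for a sending IP (RFC 7208 subset).

    Supports the ip4, ip6, include and all mechanisms with the +, -, ~ and ?
    qualifiers.  Anything else (a, mx, ptr, exists, redirect=, macros) yields
    "permerror" rather than silently passing.  Returns one of
    "pass", "fail", "softfail", "neutral", "none", "permerror".
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"               # runaway include chain (e.g. loop.test)
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        if "=" in term:                  # modifiers (redirect=, exp=) not supported here
            return "permerror"
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr in network    # False when address and network versions differ
        elif name == "include":
            inner = check_spf(ip, arg, records, depth + 1)
            if inner == "pass":
                matched = True
            elif inner in ("none", "permerror"):
                return "permerror"       # including a missing or broken record is fatal
            else:
                matched = False          # fail/softfail/neutral inside include: keep scanning
        else:
            return "permerror"           # mechanism outside the supported subset

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # no mechanism matched and no "all" term


# Constructed observations, in the shape an ISP feed might deliver: the domain
# the message claimed to come from, the connecting IP, and the DKIM verdict.
OBSERVATIONS = [
    ("examplebank.test", "192.0.2.25", "pass"),      # bank's own mail server
    ("examplebank.test", "198.51.100.10", "pass"),   # authorised vendor, via include
    ("examplebank.test", "203.0.113.7", "none"),     # unknown host using the bank's name
    ("examplebank.test", "2001:db9::1", "fail"),     # outside the vendor's ip6 range
]


def authentication_report(observations, records):
    """Group observed senders per domain into authenticated vs unauthenticated.

    A source counts as authenticated when SPF passes or DKIM passes; this
    mirrors the "what is getting authenticated and what isn't" view and does
    not apply DMARC-style identifier alignment.
    """
    report = defaultdict(lambda: {"authenticated": [], "unauthenticated": []})
    for domain, ip, dkim in observations:
        spf = check_spf(ip, domain, records)
        bucket = "authenticated" if "pass" in (spf, dkim) else "unauthenticated"
        report[domain][bucket].append((ip, spf, dkim))
    return dict(report)


if __name__ == "__main__":
    for domain, buckets in authentication_report(OBSERVATIONS, SPF_RECORDS).items():
        print(domain)
        for bucket, sources in buckets.items():
            for ip, spf, dkim in sources:
                print(f"  {bucket:16} {ip:18} spf={spf:8} dkim={dkim}")
```

Run as a script it lists, for the hypothetical bank domain, the two sources its record authorises and the two it does not; the unknown 203.0.113.7 host is exactly the "domain sending mail that is not supposed to" case the article has in mind. A production evaluator must additionally honour the DNS lookup limit, handle redirect= and macros, and treat temporary DNS failures as "temperror" rather than collapsing them into "permerror".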
This registry is one of several steps that BITS has taken in the past several years to bolster security and industry efforts to adopt new email protections:
- In 2006, BITS formed an Email Security project group that aimed to increase the security and integrity of email for institutions;
- In 2007, the project group published an "Email Security Toolkit: Protocols and Recommendations for Reducing the Risks" report that defined best practices and showed technologies financial institutions could adopt to strengthen email security, particularly focusing on three protocols - DKIM, SPF, and TLS;
- In 2009, BITS and eCert released "Email Sender Authentication Deployment," which covered DKIM and SPF.
After the first paper was released in 2007, Smocer says BITS saw several issues that were standing in the way of broad adoption of the technology. "One was understanding the protocols; they are not always easy to understand. The other was the broad range of institutions and the varying technology they use."
The final impediment, which Smocer says was the biggest, was the nature of the "one-off" relationships that many institutions have with their ISP. "Imagine you're an ISP, and you have every single institution approaching you to do email authentication. It would be a major headache."
That is why the service will be valuable to both institutions and ISPs, he adds: it will serve as a one-stop shop through which a financial institution connects to all the ISPs.